
I'm having difficulty wrapping my mind around the whole concept of securing session variables. What sorts of basic steps do you guys take to protect session variables?

-sp0om

Unlike cookies, which are stored by the client (the web browser), session variables are stored on the server. By default, when PHP creates a session it creates a new file in a temporary directory (usually /tmp), which it reads every time the session is opened. A garbage collection process deletes the files automatically after a certain time passes, which effectively 'times out' the sessions.

All the browser sends back with each request is the session identifier given to it when you started the session. So unlike cookies, session variables can't be directly edited by the user.

There is still a security concern though if you're in a shared web hosting environment -- everyone's PHP scripts store their sessions to the same location by default, and they're not tied to any account. Anyone on the server can read your user's sessions.

If you check out the sessions portion of the PHP manual, there are settings for changing how and where session data is stored if you are interested.
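As an added example (not code from the post above), this is what the relevant settings look like when set from a script rather than php.ini. The directory path is an assumption for illustration: it has to exist, be writable by the account PHP runs under, and not be readable by other accounts on the box (mode 0700 or similar), otherwise moving out of /tmp gains nothing.

```php
<?php
// Added example: keeping file-backed sessions out of the shared /tmp.
// '/home/example/private/sessions' is an assumed path, not a PHP default.
ini_set('session.save_path', '/home/example/private/sessions');

// Refuse session IDs the server did not issue itself, so a visitor cannot
// be handed a pre-chosen ID that an attacker already knows (session fixation).
ini_set('session.use_strict_mode', '1');

// Keep the session cookie away from scripts and off plaintext connections.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_samesite', 'Lax');   // PHP 7.3+

// Idle time (seconds) before garbage collection is allowed to remove a session file.
ini_set('session.gc_maxlifetime', '1800');

session_start();

// Example login step: after the password check succeeds, swap the session ID so
// any ID the browser had before authenticating is no longer valid.
function markLoggedIn(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}
```

These settings must be applied before session_start() on every request, so they belong in a file that every page includes, or in php.ini / .htaccess (php_value session.save_path ...) where the host allows it.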

Sometimes it's safer to use a custom PHP class for storing session data in your database. This way, your session files are not sitting in some /tmp directory. By using a combination of SSL and sessions stored in your db, you can feel a little more secure.

How about this. When a user successfully logs in, I'll change a field in the user_information table to indicate he/she successfully logged in. On each page requiring a valid login, I'll run a function that checks the database to verify a valid login. So if a session is hijacked, it will only be usable while a user is logged in?

Also, how do I view other session variables on my webserver? Not for hacking purposes, but if I know how to do this stuff, I'll better be able to protect myself. I've looked in my tmp directory, but ... yeah. I'm confused.

I would have a function that generates a random string of 20 or 30 alphanumeric characters. Send it as a cookie to the user, and insert it into a table with the user's name and a timestamp of when they logged in. For each page they visit, look for the cookie. If it is found, query the database for the alphanumeric code. If that is found, get the username and you will know that the user is logged in. You can use the timestamp to make the sessions expire after a certain amount of time.
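An added example of the scheme just described (my code, not the poster's). It goes a step further than the post in two places: the random string comes from random_bytes() rather than a home-grown generator, and only the SHA-256 hash of the token is stored, so someone who can read the table (the shared-hosting problem from earlier in the thread) still cannot forge a valid cookie. Table and column names are this example's own choice; the demo at the bottom uses an in-memory SQLite database with a constructed user.

```php
<?php
// Added example: cookie token + database lookup as a login session.
const TOKEN_BYTES    = 32;    // 256 bits of entropy, 64 hex chars on the wire
const TOKEN_LIFETIME = 1800;  // seconds before a token expires

function createLoginTable(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS login_tokens (
        token_hash TEXT PRIMARY KEY,
        username   TEXT NOT NULL,
        created_at INTEGER NOT NULL
    )');
}

// Call after the password check succeeds; returns the raw token for the cookie.
function issueToken(PDO $db, string $username): string
{
    $token = bin2hex(random_bytes(TOKEN_BYTES));
    $stmt = $db->prepare(
        'INSERT INTO login_tokens (token_hash, username, created_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([hash('sha256', $token), $username, time()]);
    return $token;
}

// Resolve a cookie value to a username; null if absent, malformed, unknown or expired.
function userForToken(PDO $db, ?string $token): ?string
{
    if ($token === null || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT username, created_at FROM login_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return null;
    }
    if (time() - (int) $row['created_at'] > TOKEN_LIFETIME) {
        // Expired: remove it so the table does not grow without bound.
        $db->prepare('DELETE FROM login_tokens WHERE token_hash = ?')->execute([$hash]);
        return null;
    }
    return $row['username'];
}

// Logout: deleting the row makes the cookie worthless immediately.
function revokeToken(PDO $db, string $token): void
{
    $db->prepare('DELETE FROM login_tokens WHERE token_hash = ?')
       ->execute([hash('sha256', $token)]);
}

// --- Demo with a constructed user in an in-memory database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createLoginTable($db);

// Login page, after verifying the password for 'alice' (constructed sample user):
$token = issueToken($db, 'alice');
setcookie('login', $token, [
    'secure' => true, 'httponly' => true, 'samesite' => 'Lax', 'path' => '/',
]);

// Protected page: the cookie comes back as $_COOKIE['login'] on a real request.
$user = userForToken($db, $token);
if ($user === null) {
    header('Location: /login.php');
    exit;
}
echo "Logged in as {$user}\n";

// Logout page:
revokeToken($db, $token);
```

Two design points: the token is validated with a strict regex before it touches the database, so nothing unexpected reaches the query, and the expiry is checked server-side from created_at rather than trusting the cookie's own expiry, which the client controls.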